RE: Certificate and showing a sign-cert not there

2022-02-09 Thread Wayne Spivak
To all, we finally succeeded in solving the problem.

I believe changing the Servercert to Servercert + Intermediate solved the issue.

Thank you all for your help.


RE: Certificate and showing a sign-cert not there

2022-02-09 Thread Wayne Spivak
That I have, thank you Justina

From: dovecot On Behalf Of justina colmena ~biz
Sent: Tuesday, February 8, 2022 8:57 PM
To: dovecot@dovecot.org
Subject: RE: Certificate and showing a sign-cert not there

> You shouldn't need a root in the full chain, because the client already has to
> have the root cert, but you do need all the links in the chain up to the root.


Re: RE: Certificate and showing a sign-cert not there

2022-02-09 Thread Jochen Bern

On 09.02.22 02:13, Wayne Spivak wrote:
> The vendor I have, which is having the difficulty is still
> saying he gets a self-signed cert… but as I showed in my
> last email after I added Intermediate to the certificate,
> everything was ok.

"*A* self-signed cert" would match the root cert that you have (had?)
in your chain, though it would be unusual that *that* would prompt a
client to complain.

"*Only* a self-signed cert" would likely be some middleboxes' doing. As
justina pointed out, e-mail systems are still not in the habit of doing
full verification of certs, so MitM attacks are definitely possible.

[Still vividly remembers finding that a certain camping ground's WiFi
transparently redirects guests' SMTP/IMAP to a snooping, SSL-enabled
server ...]

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH


Re: Certificate and showing a sign-cert not there

2022-02-08 Thread Plutocrat

  
  
Random addition to this thread, in case it helps ... recently had
a client reporting certificate problems after Letsencrypt changed
their root certificate late last year. Long story short: it boiled
down to the fact he was using an ancient version of Outlook which
didn't have the necessary root certificates to verify the new
Letsencrypt cross-signed root cert. More recent versions of
Outlook were fine. So maybe that's another line of inquiry?

P.

On 09/02/2022 09.56, justina colmena ~biz wrote:
> You shouldn't need a root in the full chain, because the client already has to
> have the root cert, but you do need all the links in the chain up to the root.
  

RE: Certificate and showing a sign-cert not there

2022-02-08 Thread justina colmena ~biz
You shouldn't need a root in the full chain, because the client already has to 
have the root cert, but you do need all the links in the chain up to the root.

On February 8, 2022 4:13:06 PM AKST, Wayne Spivak wrote:
>Justina,
>
>The vendor I have, which is having the difficulty is still saying he gets a
>self-signed cert… but as I showed in my last email after I added Intermediate
>to the certificate, everything was ok.
>
>So ServerCert, Intermediate, Root in same file should solve this?
>
>Wayne

RE: Certificate and showing a sign-cert not there

2022-02-08 Thread Wayne Spivak
Justina,

The vendor I have, which is having the difficulty is still saying he gets a
self-signed cert… but as I showed in my last email after I added Intermediate
to the certificate, everything was ok.

So ServerCert, Intermediate, Root in same file should solve this?

Wayne

From: dovecot On Behalf Of justina colmena ~biz
Sent: Tuesday, February 8, 2022 2:44 PM
To: dovecot@dovecot.org
Subject: Re: Certificate and showing a sign-cert not there

> In general:
>
> Lots of mail servers out in the wild do not require TLS or even bother to
> verify TLS certificates when connecting to a remote server on port 25.
>
> However, desktop and mobile email *clients* tend to be much stricter about
> verifying server certificates when connecting via SSL or TLS, mainly to protect
> user passwords.
>
> Sometimes the server certificate needs to be presented with a "full chain"
> appended to it for verification. That has been an issue before when I've used
> some certs, particularly StartSSL before Letsencrypt started offering free
> certs.


Re: Certificate and showing a sign-cert not there

2022-02-08 Thread justina colmena ~biz
In general:

Lots of mail servers out in the wild do not require TLS or even bother to
verify TLS certificates when connecting to a remote server on port 25.

However, desktop and mobile email *clients* tend to be much stricter about
verifying server certificates when connecting via SSL or TLS, mainly to protect
user passwords.

Sometimes the server certificate needs to be presented with a "full chain"
appended to it for verification. That has been an issue before when I've used
some certs, particularly StartSSL before Letsencrypt started offering free
certs.

On February 8, 2022 5:53:34 AM AKST, Wayne Spivak wrote:
>Hi -
>
>I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
>I have a multi-signed cert from Entrust.
>
>The cert works fine on port 25.
>
>However, on Port 587 I get an error: c
>
>[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com
>CONNECTED(0003)
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
>verify error:num=20:unable to get local issuer certificate
>verify return:1
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
>verify error:num=21:unable to verify the first certificate
>verify return:1
>depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
>verify return:1
>---
>Certificate chain
> 0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
>   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
>
>[root@mcq wbs]# dovecot -n
># 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
># OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
># Hostname: mcq.sbanetweb.com
>auth_mechanisms = plain login
>disable_plaintext_auth = no
>mbox_write_locks = fcntl
>namespace inbox {
>  inbox = yes
>  location =
>  mailbox Drafts {
>    special_use = \Drafts
>  }
>  mailbox Junk {
>    special_use = \Junk
>  }
>  mailbox Sent {
>    special_use = \Sent
>  }
>  mailbox "Sent Messages" {
>    special_use = \Sent
>  }
>  mailbox Trash {
>    special_use = \Trash
>  }
>  prefix =
>}
>passdb {
>  driver = pam
>}
>protocols = imap
>service auth {
>  unix_listener /var/spool/postfix/private/auth {
>    group = postfix
>    mode = 0666
>    user = postfix
>  }
>  unix_listener auth-userdb {
>    group = postfix
>    mode = 0666
>    user = postfix
>  }
>}
>service imap-login {
>  inet_listener imap {
>    port = 143
>  }
>  inet_listener imaps {
>    port = 993
>    ssl = yes
>  }
>}
>service submission-login {
>  inet_listener submission {
>    port = 587
>  }
>}
>ssl = required
>ssl_cert = 
>ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>ssl_client_ca_dir = /etc/postfix/tls/
>ssl_client_ca_file = ChainBundle.pem
>ssl_dh = # hidden, use -P to show it
>ssl_key = # hidden, use -P to show it
>ssl_prefer_server_ciphers = yes
>userdb {
>  driver = passwd
>}
>protocol imap {
>  mail_max_userip_connections = 15
>}
>
>Any ideas?
>
>Wayne Spivak
>SBANETWEB.com

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: Certificate and showing a sign-cert not there

2022-02-08 Thread Wayne Spivak
Hi Christian,

Thanks for answering.  I think you found my issue.

I now get:

[root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com
CONNECTED(0003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
---

I hope this fixes the issue?

THANK YOU

Wayne



Re: Certificate and showing a sign-cert not there

2022-02-08 Thread Christian Kivalo




On 2022-02-08 15:53, Wayne Spivak wrote:
> Hi -
>
> I am running Postfix 3.6.4 with Dovecot 2.3.17.1 (476cd46418).
>
> I have a multi-signed cert from Entrust.
>
> The cert works fine on port 25.

Certificates on port 25 verify ok for me.

> However, on Port 587 I get an error: c

Certificates on port 587 verify ok for me.

> [root@mcq wbs]# openssl s_client -connect mcq.sbanetweb.com:993 -servername mcq.sbanetweb.com

Now you check port 993? For me the certificates also don't verify on
port 993.

Have you built your certificate file correctly?
The intermediate cert seems to be missing.

For port 25, 587 you send a chain of 3 certificates.
For port 993 you only send one certificate.

> CONNECTED(0003)
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> depth=0 C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
> verify return:1
> ---
> Certificate chain
>  0 s:C = US, ST = New York, L = Bellmore, O = SBA  Consulting LTD, CN = mcq.sbanetweb.com
>    i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
>
> [root@mcq wbs]# dovecot -n
> # 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
> # OS: Linux 5.16.5-200.fc35.x86_64 x86_64 Fedora release 35 (Thirty Five)
> # Hostname: mcq.sbanetweb.com
> auth_mechanisms = plain login
> disable_plaintext_auth = no
> mbox_write_locks = fcntl
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Drafts {
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     special_use = \Junk
>   }
>   mailbox Sent {
>     special_use = \Sent
>   }
>   mailbox "Sent Messages" {
>     special_use = \Sent
>   }
>   mailbox Trash {
>     special_use = \Trash
>   }
>   prefix =
> }
> passdb {
>   driver = pam
> }
> protocols = imap
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
>   unix_listener auth-userdb {
>     group = postfix
>     mode = 0666
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 143
>   }
>   inet_listener imaps {
>     port = 993
>     ssl = yes
>   }
> }
> service submission-login {
>   inet_listener submission {
>     port = 587
>   }
> }
> ssl = required
> ssl_cert = 

In what order are the certificates in here?

See
https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#id7

> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> ssl_client_ca_dir = /etc/postfix/tls/
> ssl_client_ca_file = ChainBundle.pem
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_prefer_server_ciphers = yes
> userdb {
>   driver = passwd
> }
> protocol imap {
>   mail_max_userip_connections = 15
> }
>
> Any ideas?
>
> Wayne Spivak
> SBANETWEB.com


--
 Christian Kivalo
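Christian's diagnosis (three certificates presented on 25 and 587, only one on 993) and justina's point that the root itself need not be in the file both come down to two properties of the PEM bundle behind ssl_cert: the certificates must be in the order server cert, then intermediate(s), and together they must let a client that holds only the root reach the server cert. The script below is an added example written for this page; it is not code from the thread, from Dovecot or from Postfix. It generates its own throwaway root, intermediate and leaf (the CA names and the hostname imap.example.test are invented for the demo), builds one correct bundle and two broken ones, and checks each the way openssl s_client would see them. It needs only a POSIX shell and the openssl command-line tool. The presented_chain_length helper for a live server is defined but not run, because it needs network access.

```shell
#!/bin/sh
# Added example (not from the thread, Dovecot or Postfix): build and check the
# PEM bundle Dovecot's ssl_cert should point at. Throwaway PKI, demo names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-contained OpenSSL config so nothing depends on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:imap.example.test
EOF

KEYOPTS="-newkey rsa:2048 -nodes"

make_demo_pki() {
  # Root: self-signed. This is the only thing a client's trust store holds.
  openssl req -new -x509 $KEYOPTS -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 2 \
    -config "$WORK/pki.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" 2>/dev/null
  # Intermediate: issued by the root. Clients generally do NOT have it, so the
  # server must send it (this is the link that was missing on port 993).
  openssl req -new $KEYOPTS -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -config "$WORK/pki.cnf" -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/pki.cnf" -extensions v3_ca \
    -out "$WORK/int.pem" 2>/dev/null
  # Leaf: the server certificate, issued by the intermediate.
  openssl req -new $KEYOPTS -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -config "$WORK/pki.cnf" -subj "/CN=imap.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/pki.cnf" -extensions v3_leaf \
    -out "$WORK/leaf.pem" 2>/dev/null

  # Correct bundle for "ssl_cert = <.../chain.pem": leaf first, then intermediate.
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/chain.pem"
  # Two broken bundles: wrong order, and leaf only (the port-993 symptom).
  cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/reversed.pem"
  cp "$WORK/leaf.pem" "$WORK/leaf_only.pem"
}

# Number of PEM certificates in a file (what s_client -showcerts would list).
pem_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# 0 if every certificate in the bundle is issued by the one that follows it.
# TLS requires the server's own cert first, and Dovecot uses the first PEM
# block of ssl_cert as that cert, so a reversed file presents the wrong one.
chain_order_ok() {
  split=$(mktemp -d)
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert." n ".pem")}' \
    dir="$split" "$1"
  n=$(ls "$split" | wc -l | tr -d ' ')
  rc=0
  [ "$n" -ge 1 ] || rc=1
  i=1
  while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$split/cert.$i.pem" -noout -issuer | sed 's/^[a-z]*=//')
    subj=$(openssl x509 -in "$split/cert.$((i + 1)).pem" -noout -subject | sed 's/^[a-z]*=//')
    [ "$issuer" = "$subj" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$split"
  return "$rc"
}

# 0 if a verifier that trusts only $1 (the root) can build a path to $3 (the
# leaf) using nothing but bundle $2 as untrusted intermediates: exactly what a
# mail client with the root in its store does. The root need not be in $2.
chain_complete_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Live check against a real server (needs network, so not called here).
# Usage: presented_chain_length host port [starttls-proto], e.g. "... 587 smtp".
presented_chain_length() {
  host=$1; port=$2; shift 2
  [ $# -eq 0 ] || set -- -starttls "$1"
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts "$@" \
    </dev/null 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----'
}

make_demo_pki
for b in chain reversed leaf_only; do
  printf '%-10s certs=%s order=%s complete=%s\n' "$b" "$(pem_count "$WORK/$b.pem")" \
    "$(chain_order_ok "$WORK/$b.pem" && echo ok || echo BAD)" \
    "$(chain_complete_ok "$WORK/root.pem" "$WORK/$b.pem" "$WORK/leaf.pem" && echo ok || echo BAD)"
done
```

Point Dovecot at the correct bundle with `ssl_cert = </etc/dovecot/chain.pem` (the leading `<` makes Dovecot read the file) and at the matching key with `ssl_key`; after a reload, `presented_chain_length mcq.sbanetweb.com 993` should report 2 rather than 1, and a STARTTLS port such as 587 is checked by passing `smtp` as the third argument. Note that the reversed bundle passes the completeness check but fails the order check: all the links are present, but Dovecot would present the intermediate as the server certificate. The leaf-only bundle is the reverse case and reproduces the "unable to get local issuer certificate" result from the first post.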